Crack this: How to pick strong passwords and keep them that way

If there’s one thing people associate with modern technology, it’s passwords. They’re everywhere, and most of us use them for dozens of things every day. Yet most people are shockingly indifferent about their password security. Most of us probably know someone who uses the same password for everything, from their computer and email to their Facebook and bank accounts — and that password might be something as obvious as their birthday or the name of the street where they grew up. And we also probably know someone who has a sticky note on the side of their monitor labelled “Passwords” (in red, double-underlined) with a list of everything from Twitter to Netflix just sitting in the open for anyone to read.

These practices might sound like something from our grandparents’ generation, but that’s not strictly true: Last week I watched a full-fledged member of Generation D trying to shift from a Samsung Galaxy S (er, Fascinate) to an HTC Rezound via his notebook computer. How was he moving all his passwords over? He had a piece of paper in his wallet with “all his passwords” — and by all he meant three. One for email and social networking, one for his great aunt’s email (“I check it for her”), and another for everything else. Looking over his shoulder, all three were everyday words: mophandle, mumbler, and lillian. Guess which was his aunt’s?

Fortunately, there are simple ways to make passwords both hard-to-guess and easy-to-remember. Unfortunately, the technology industry sometimes gets in the way of using them. Here’s a rundown of common password weaknesses and some ways you can improve your passwords and your online safety.

Obscurity versus complexity

A common truism about passwords is that they should never be easy to guess. Most tech-savvy people agree no one should use details about themselves as a password: That includes birthdays, addresses, and names of friends and family (including parents, siblings, spouses, children, and even pets). Similarly, password makes a singularly poor password — as do all other commonly-used throwaway passwords.

This evergreen advice often gets interpreted to mean that passwords should be obscure, or a term no one would ever think you’d pick if they had a million years. Yes, obscure can work—and it’s a darn sight better than picking an obvious password. However, an obscure password only protects you from people who know something about you. Odds are, most people trying to crack your passwords don’t know you.

Most password-cracking doesn’t happen the way it’s portrayed in movies, where Our Hero (or The Villain) sits at a keyboard, tries a phrase or two, rubs his chin, then spies a childhood photo on the desk. Aha! Type the magic word and presto, security circumvented. In the real world, the vast majority of password cracking is automated, with computers literally throwing every word in the dictionary (and then some) at a system in hopes of stumbling across the correct term. This approach can work because computers can try passwords much faster than humans can type them, and they can run 24 hours a day, seven days a week, without bathroom breaks. Automated password crackers don’t know anything about the users they’re trying to compromise: It’s a brute-force approach.

So, it turns out a key to a strong password isn’t its obscurity but its complexity — things that make it less likely to be guessed by an automated password cracker. However, making a good complex password means knowing a bit about how passwords get broken.

Breaking passwords

In very general terms, password crackers typically have two approaches. One is to literally try a pre-compiled list of possible passwords. These usually start from very common passwords (like password or qwerty) and work their way down to less common terms, and eventually use a list of words compiled from an online dictionary and other sources. This approach is more likely to find passwords that are valid words or variants on them, even if they’re obscure.

Another password-cracking approach is to try valid sequences of letters, numbers, and symbols, regardless of their meaning. A password cracker using this approach might start with aaaaaaaa for an eight-character password, then try aaaaaaab then aaaaaaac and so on up the alphabet, through mixes of upper and lower case, and throwing in numbers and symbols. This approach is more likely to find passwords that are “machine-friendly” or randomly generated. A passcode like 4De78Hf1 isn’t any more difficult to find this way than teenager would be.

So, what are the odds of a password being guessed? Most systems these days enable users to create passwords using letters (upper and lower case), numbers, and a selection of symbols. Allowable symbols often vary between systems (some allow almost anything, others allow only a handful), but for our purposes let’s assume that means each character in a password can be one of about 80 values — two alphabets at 26 letters each, ten numerals, and 18 symbols. (In theory at least 127 values should be available for every character, but in practice it’s a smaller number.)

Using a purely brute force approach, that means it would take a maximum of 80 guesses to randomly figure out a one-character password. A four-character password could take over 40 million guesses (80 × 80 × 80 × 80 = 40,960,000) and an eight character password could take over 1.6 quadrillion guesses (1,677,721,600,000,000).

If a password cracker were able to make 1,000 guesses a second, it would need about a month to run all combinations of a four-character password, and over 53,000 years to run all the combinations of an 8 character password. That seems pretty secure, right?

Well, not really. In purely statistical terms, a cracker has a 50/50 chance of finding the password in half that time. More troubling, the folks who make password crackers have other ways of improving their odds. Remember how password was one of the worst passwords to use? Guess what’s also a very bad password? Passw0rd, substituting a number zero for a letter O. While password crackers are running their common words from a dictionary, they’re also trying common variants on those words, substituting zeros for O’s, @ signs and 4’s for A’s, 3’s for E’s, 1’s and !’s for I’s, 7’s for T’s, 5’s for S’s, and so on. Similarly, 0qww294e is a terrible password — that’s just password shifted up one row on a standard English keyboard. These techniques prey on users’ preference for easy-to-remember passwords. Unfortunately, by substituting (or capitalizing) a character or two in an easy-to-remember term, people are mostly making their passwords more obscure, but not much more secure. In fact, typical user-selected eight-character passwords with mixed case, numbers, and symbols usually only have about 30 bits of entropy, or a little over a billion possible combinations. Why? Because the list of terms on which people base their passwords is far smaller than the total possible combinations of letters, numbers, and symbols.

How fast can passwords be broken? Trying 1,000 passwords a second might seem impossible — after all, most services tend to lock us out of our own accounts if we mistype a password three or four times, often resetting the password and requiring us to answer security questions to make a new one. These “gateway” techniques do improve account security, and incidentally, are also a blindingly easy way to annoy people. (I can’t tell you how many times I’ve been locked out of my iTunes account by password attacks, but it’s probably over one hundred.)

However, attackers intent on breaking passwords aren’t knocking on a service’s front door and trying (literally) millions of times to log into the same account. They’re either using less-public authentication methods that aren’t subject to lockouts (like a private API for partners or apps), spreading their attacks across a broad range of accounts to avoid lockout periods, or (best case scenario) applying password cracking techniques to stolen password data. Most systems encrypt the password data they store, but those encrypted files are only as secure as the system itself. If attackers can get their hands on the encrypted password file (through a security hole, compromised machine, or social engineering, for starters) they can attack it very rapidly once it’s on their own systems. That’s why stories about attackers obtaining account information (like Stratfor, Epsilon, Sony, and Zappos) are troubling. Once the encrypted data has been pried loose, attackers can apply much more powerful tools to crack it open.

In the real world, that means the figure of 1,000 passwords per second is extremely conservative. Typical desktop computing hardware these days can test millions of passwords a second against common encryption technologies. Similarly, there are now password-cracking tools that leverage graphics processors, and criminal botnet operators are also in the password cracking business. They can spread the workload across thousands of computers. Combine this raw power with sophisticated heuristics (like trying numbers-and-letters variants on common words) and it’s not unusual to crack a typical eight-character user password in under half an hour.

Shooting ourselves in the foot

We noted above how an eight character password can, with uppercase, lowercase, numbers, and symbols, have well over a quadrillion possible combinations, but most eight-character passwords in use today fall within a pool of only about a billion combinations. That’s because humans are not machines. Where a computer is content to use either tortoise or Y&4nS0\2 as a password, guess which one is easier for a human to remember? Now, guess which one is more secure.

Some systems implement password requirements meant to ensure users don’t use easily-cracked passwords. A common approach is to require user passwords to have at least one upper-case letter, one number, one symbol, and be at least eight characters long. (Some systems don’t enforce requirements, but offer a gauge of “password strength” as a measure of how effective it thinks a password might be.) Some systems also require users to change their passwords every so often (say, every 30 or 45 days) and prevent them from re-using passwords.

These kinds of requirements do increase the security of passwords, but they also make the passwords far more difficult for people to remember. That means a significant portion of users will immediately come up with ways to subvert the security of the system for their own convenience. Sure, some people can cope with passwords like 9.3nDs(# but plenty of other people are going to respond with password-laden sticky-notes on the sides of monitors, notes in their wallets, or a Microsoft Word document on their desktop helpfully labelled “Passwords” so they can copy-and-paste when necessary. Password construction requirements also tend to hurt productivity and increase support costs (both for employees and customers), since more people will forget their passwords or be locked out of their accounts, requiring manual intervention.

Making complex passwords

The Holy Grail of passwords would then seem to be a password that is complex enough that it is impractical to crack using automated techniques, yet easy enough to remember that users don’t compromise security by storing or managing them unsafely.

Here are some tips for making complex, easy-to-remember passwords:

Use long passwords. If an eight-character password can have 1.6 quadrillion possible combinations, imagine how many a 16-character password can have? (About 2.8 nonillion, or 2.8 × 10^30.) However, perhaps more importantly, the set of values for a 16-character password using common terms and variations is just under 1.2 quintillion, where it was just over a billion with an eight-character password. Using longer passwords is the easiest way to make passwords more complex and more secure.

Use combined words. How to make easy-to-remember long passwords? One common technique is to use a series of three to five simple, unrelated terms. These are generally as easy to remember as PIN numbers; cognitively, people tend to remember whole words as single units. However, these passwords can be very complex, at least from the point of view of password cracking. And these passwords are easy to make just by looking around or flipping a book to a random page. Glancing left out my window I see a toy frog, a car, and the window of someone’s kitchenette. New password: FrogHubcapCupboard — that’s 18 characters, but only three words to remember. Looking right: RunnerCameraGlueString — four short words, 22 characters. I’ve only used uppercase to help break out words. Adding more characters or substitutions can increase complexity — just don’t get so complex you fall prey to the weaknesses of tough passwords.

Use phrases or lyrics. Another way of making long passwords is to use parts of phrases or lyrics. For lyrics, relatively common songs are perhaps better than ones particularly important to you: again, you don’t want people who know you well to be able to guess your passwords just because you’re a huge fan of Michael Bolton (or not). Examples of passwords made from phrases or lyrics might be You’reNoJackKennedy (19 characters), iShotaManinReno (15 characters), impeepinandimcreepin (20 characters).

Use mnemonics. The downside of long passwords is that they can be difficult to type, especially on a mobile device. Another trick some people find useful for generating complex shorter passwords is using the first character of every word in a phrase or lyric. “How many roads must a man walk down” could become HmrmamwD—only eight characters, but relatively complex from the point of view of a password-cracking program. Similarly, “Shake it, shake it like a polaroid picture” could become SiSiLapp — maybe not great, but better than tortoise. This trick can also help generate good passwords for systems that still have a limit on how long passwords can be.

These guidelines will generally help you come up with easy-to-remember, complex passwords. Of course, when dealing with password systems with composition requirements (meaning, they expect mixed-case, numbers, or symbols) you’ll still have to come up with funky twists on passwords to fulfill those requirements. Just remember that with longer passwords, you can make your substitutions and changes in obvious places — usually, these long passwords are easier to remember even with requirements than short, nonsense passwords.

A few other hints

Other things to think about when choosing your passwords:

Use separate passwords for separate services. Don’t use your social-networking password for online banking. If a password is compromised on one service, the others should be safe.

Choose important passwords carefully. Single sign-in systems might be tremendously convenient, but also create a single point of failure for multiple services. Examples would be passwords to accounts at Google, Yahoo, and Microsoft services, where a single cracked password could give someone access to email, documents, pictures, social networking, blogs, photo libraries, contact lists, address books, and more. Similarly, with so many sites (even Digital Trends) accepting Facebook and Twitter logins, a compromised social networking password can have far-ranging repercussions.

Change your passwords. It’s tempting to think that if one of your passwords gets broken, you’ll know right away: your email will vanish, your blog will become a set of lulz graphics, your Amazon gift list might be filled with embarrassing options, your PayPal account might be cleared out. However, that’s not always the case: If someone cracks your password, there might not be any overt sign, at least not right away. By changing your password regularly, you ensure that even if someone breaks in, their window of opportunity to exploit you is limited. The frequency with which you should change passwords varies with how you use online services. For anything involving real money, I generally recommend users change their passwords every 30 to 90 days — the more money, the more often.

No password is safe

Perhaps the most important thing to remember about passwords is that any password can be cracked: It’s just a question of how much time and effort someone is willing to put into it. The tips here will help reduce the odds your passwords will be rooted out by random attackers and even friends and family, but no password is completely secure. If secure access to a service is very important to you, consider looking into various forms of multiple-factor authentication to further reduce the chances of unauthorized access.